4 Replies Latest reply on Aug 3, 2018 7:51 AM by Philippe Marschall

    Readonly Auditor Role

    Philippe Marschall Expert

      We have a custom (legacy) server side LoginModule that needs to be able to flush the credential cache for a user on a login failure. We have this requirement because this came up in a security review. We achieve this by looking up the JMX bean for the security domain under the security bean and calling the flushCache method (see attachment).

      We are using the "rbac" access-control, not "simple". This has been working fine up until WildFly 12. Starting with WildFly 12 we need to give the "anonymous" user the "Auditor" role (see also https://issues.jboss.org/browse/JBEAP-13845), otherwise the security domain JMX beans are not visible to the application. It seems as if the security domain JMX beans are now considered a sensitive resource. Unfortunately the "Auditor" role also has permissions to modify resources of the administrative audit logging system (Role Based Access Control in WildFly 8 (Tech Tip #12)). We would prefer to use a role that has only view and no modify permissions.
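The lookup-and-flush the original post describes, written out as an added example (it is not the poster's attached LoginModule and not WildFly's own code). It goes through the in-VM platform MBeanServer, which in WildFly fronts the management model under the `jboss.as` JMX domain, so the management RBAC decides whether the MBean is visible at all: a security-domain MBean that the caller's role may not address is simply not registered from the caller's point of view, and an in-VM caller with no management identity is evaluated as the anonymous user discussed in the thread. The ObjectName pattern `jboss.as:subsystem=security,security-domain=<name>` and the operation name `flushCache` (the JMX facade over the legacy security subsystem's `flush-cache` operation) are assumptions to confirm against `MBeanInfo` on your server before relying on them; the code therefore reads the operation signature instead of hard-coding it.

```java
import java.lang.management.ManagementFactory;
import javax.management.MBeanInfo;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/**
 * Flushes the authentication cache of one legacy security domain through the
 * in-VM MBeanServer. Example code: the ObjectName pattern and the "flushCache"
 * operation name are assumptions about the WildFly JMX facade; verify them
 * against the MBeanInfo of the target server.
 */
public final class SecurityDomainCacheFlusher {

    private static final String JMX_DOMAIN = "jboss.as";
    private static final String FLUSH_OP = "flushCache";

    private final MBeanServer server;

    public SecurityDomainCacheFlusher(MBeanServer server) {
        this.server = server;
    }

    public SecurityDomainCacheFlusher() {
        this(ManagementFactory.getPlatformMBeanServer());
    }

    /** Builds jboss.as:subsystem=security,security-domain=<domain> (assumed pattern). */
    static ObjectName securityDomainName(String domain) throws Exception {
        // ObjectName.quote() stops a caller-influenced domain name containing
        // ',' '=' ':' or '*' from changing which MBean is addressed.
        return new ObjectName(JMX_DOMAIN + ":subsystem=security,security-domain="
                + ObjectName.quote(domain));
    }

    /**
     * Returns the named operation, or null when the MBean is not visible to the
     * caller. Under RBAC a resource the caller may not address is absent rather
     * than forbidden, so this is the first thing to check when a flush does
     * nothing: it is the symptom the thread describes for the Monitor role.
     */
    MBeanOperationInfo findOperation(ObjectName name, String opName) throws Exception {
        if (!server.isRegistered(name)) {
            return null;
        }
        MBeanInfo info = server.getMBeanInfo(name);
        for (MBeanOperationInfo op : info.getOperations()) {
            if (op.getName().equals(opName)) {
                return op;
            }
        }
        return null;
    }

    /**
     * Flushes the cache for one principal. Returns false when the security
     * domain MBean is not visible (RBAC) or exposes no flushCache operation.
     */
    public boolean flush(String domain, String principal) throws Exception {
        ObjectName name = securityDomainName(domain);
        MBeanOperationInfo op = findOperation(name, FLUSH_OP);
        if (op == null) {
            return false;
        }
        // Build the invocation from the advertised signature instead of guessing
        // it; the only parameter assumed to exist is the principal name.
        MBeanParameterInfo[] params = op.getSignature();
        String[] signature = new String[params.length];
        Object[] args = new Object[params.length];
        for (int i = 0; i < params.length; i++) {
            signature[i] = params[i].getType();
            args[i] = "principal".equals(params[i].getName()) ? principal : null;
        }
        server.invoke(name, FLUSH_OP, args, signature);
        return true;
    }
}
```

Called from the LoginModule's `login()` after a failed authentication as `new SecurityDomainCacheFlusher().flush("other", username)`, a `false` return distinguishes "the role cannot see the security domain" from an invocation error, which is the distinction needed when changing the RBAC role mapping.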

        • 1. Re: Readonly Auditor Role
          Martin Choma Master

          In the JIRA you mentioned (JBEAP-13845), the workaround section says the Monitor role should be enough. Could you have a try?

          • 2. Re: Readonly Auditor Role
            Philippe Marschall Expert

            mchoma wrote:

            In the JIRA you mentioned (JBEAP-13845), the workaround section says the Monitor role should be enough. Could you have a try?

            The Monitor role is not enough, if I assign the Monitor role the mbeans for the security domains ("jaspitest", "jboss-ejb-policy", "jboss-web-policy", "other") under the "security" mbean will not be visible.

            • 3. Re: Readonly Auditor Role
              Martin Choma Master

              So what about tweaking RBAC to let you call the security domain JMX?

              E.g. does this make it visible for the Monitor role?

              /core-service=management/access=authorization/constraint=sensitivity-classification/type=security/classification=security-domain:write-attribute(name=requires-addressable,value=false)

              /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=requires-addressable,value=false)

              Because security-domain is defined as

                  "access-constraints" => {
                      "sensitive" => {"security-domain" => {"type" => "core"}},
                      "application" => {"security-domain" => {"type" => "security"}}
                  },
              • 4. Re: Readonly Auditor Role
                Philippe Marschall Expert

                mchoma wrote:

                So what about tweaking RBAC to let you call the security domain JMX?

                E.g. does this make it visible for the Monitor role?

                /core-service=management/access=authorization/constraint=sensitivity-classification/type=security/classification=security-domain:write-attribute(name=requires-addressable,value=false)

                /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=requires-addressable,value=false)

                Because security-domain is defined as

                    "access-constraints" => {
                        "sensitive" => {"security-domain" => {"type" => "core"}},
                        "application" => {"security-domain" => {"type" => "security"}}
                    },

                I get the following error message:

                $ /core-service=management/access=authorization/constraint=sensitivity-classification/type=security/classification=security-domain:write-attribute(name=requires-addressable,value=false)
                {
                  "outcome" => "failed",
                  "failure-description" => "WFLYCTL0201: Unknown attribute 'requires-addressable'",
                  "rolled-back" => true
                }

                $ /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=requires-addressable,value=false)
                {
                  "outcome" => "failed",
                  "failure-description" => "WFLYCTL0201: Unknown attribute 'requires-addressable'",
                  "rolled-back" => true
                }
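A narrower alternative to granting the anonymous user the Auditor role, added here as an example and not part of the thread: relax the sensitivity classification so that a role without sensitive-data permission (Monitor) can address and read the security-domain resources while write access stays restricted. In the WildFly management model the writable attributes of a sensitivity classification are `configured-requires-addressable`, `configured-requires-read` and `configured-requires-write`; their `default-requires-*` siblings are read-only, and there is no attribute called `requires-addressable`, which is what the WFLYCTL0201 error above reports. Note also that the `access-constraints` output above lists the `type=security` constraint under `application`, not `sensitive`, so that one lives under `constraint=application-classification` and should be checked before it is written to. Whether invoking `flushCache` then succeeds under Monitor depends on whether the facade treats the operation as a write, so test the invocation after the change rather than assuming it.

```jboss-cli
# List the core sensitivity classifications and inspect the one for security
# domains; the output shows configured-requires-* (writable) next to
# default-requires-* (read-only) for addressable, read and write.
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core:read-children-names(child-type=classification)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:read-resource

# Allow non-sensitive roles to address and read legacy security domains.
# Writing them is deliberately left as a sensitive operation.
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=configured-requires-addressable,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:write-attribute(name=configured-requires-read,value=false)

# Confirm the effective values before touching the role mapping.
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:read-attribute(name=configured-requires-addressable)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain:read-attribute(name=configured-requires-read)

# Map the anonymous user to Monitor instead of Auditor. The first :add fails
# with a duplicate-resource error if the Monitor mapping already exists, which
# is harmless; the second line is the actual grant.
/core-service=management/access=authorization/role-mapping=Monitor:add
/core-service=management/access=authorization/role-mapping=Monitor/include=user-anonymous:add(name=anonymous,type=USER)
```

After this, an application running without a management identity should see the `jboss.as:subsystem=security,security-domain=*` MBeans again while the audit-logging resources that the Auditor role can modify remain out of reach; if the security-domain MBeans are still missing, re-check which constraint type each path in the `access-constraints` output belongs to.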